question about global protect


L4 Transporter

Let us assume that you have users in your company and they have company comps with the GlobalProtect client installed.

They take their notebooks home. Is it possible somehow by GlobalProtect to forbid connecting to home internet without using GP? Or is it possible to make any configuration so that the user cannot disconnect GlobalProtect, for example by clearing credentials and so on?

2 REPLIES 2

L5 Sessionator

You can use the always-on feature to force GP to connect so that all traffic flows through your company controlled network. Is that what you're looking for?

The always-on option only enforces traffic down the VPN once connected, so if the user cannot connect, either by mistake or on purpose, then the internet will be available to that user so long as they prevent GP from connecting.

You need to use the "enforce GlobalProtect for network access" setting and set it to "yes".

This will block all traffic until the GP client has connected.

That has answered your question, but please note...

This will cause an issue for networks with captive portal authentication such as hotels, libraries, etc.

The app has a setting that will allow the above setting to be delayed so that the user can authenticate to the captive portal/public Wi-Fi and then GP connects.

This is OK for IT peeps, but most of our users forgot about the timing issue. I don't use it.

I use a proxy.pac file that only allows direct traffic to the portal and gateways; all other traffic is sent to a duff proxy.

When GP connects, the PAC file is aware that a local resource is available and then sends all traffic direct; this of course is then sent down the tunnel by the GP client.

The users still experience public captive portal issues, so for this I have created an icon on the desktop that browses to the VPN URL.

This is allowed by the PAC file and the captive portal kicks in. The user auths, GP recognises the change in network and proceeds to connect.

This works well for both Windows and iPad.
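A sketch of the PAC approach described in the reply above, as an added example that is not the poster's actual file. The portal and gateway hostnames, the internal marker hostname and the dead proxy address are placeholder assumptions.

```javascript
// Added example PAC file. Every hostname and the dead-proxy address below is
// a placeholder (assumption), not a value taken from the thread.
var VPN_HOSTS = ["portal.example.com", "gw1.example.com", "gw2.example.com"];
// Assumed to resolve only through the DNS servers pushed by the tunnel.
// If this name also resolves on the public internet, the check fails open.
var INTERNAL_MARKER = "intranet.corp.example.com";
// Assumed to have no listener, so proxied requests simply fail.
var DEAD_PROXY = "PROXY 127.0.0.1:9";

// Exact, case-insensitive match against the portal/gateway allowlist.
// No suffix or wildcard matching, so a look-alike name such as
// "portal.example.com.other.test" is not treated as a VPN host.
function isVpnHost(host) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  return VPN_HOSTS.indexOf(h) !== -1;
}

// Pure routing decision, kept separate so it can be tested outside a browser.
function route(host, tunnelUp) {
  if (isVpnHost(host)) return "DIRECT"; // always reachable, so GP can connect
  if (tunnelUp) return "DIRECT";        // the GP client carries this in the tunnel
  return DEAD_PROXY;                    // fail closed while GP is down
}

// Entry point called by the browser or OS proxy resolver.
// isResolvable() is a standard PAC built-in supplied by that resolver.
function FindProxyForURL(url, host) {
  return route(host, isResolvable(INTERNAL_MARKER));
}
```

A PAC file only governs applications that honour the system proxy settings, so it complements the "enforce GlobalProtect for network access" setting rather than replacing it.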

 

 
